Vulnerability in FancyBox Plugin for WordPress – Update immediately

A serious vulnerability has been discovered in the FancyBox plugin for WordPress. Please upgrade immediately to FancyBox 3.0.4 and monitor your site for infections. Also upgrade immediately if you see any further releases from FancyBox because the issue may need further patching.

The issue emerged yesterday on the WordPress forums and was investigated by our colleagues in infosec at Sucuri. Through some excellent work by Daniel Cid and his team, they identified what appears to be a zero day in the FancyBox plugin.

Update FancyBox for WordPress immediately and monitor your site and the FancyBox plugin for releases.
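As an added check for the advice above (this is example code, not part of the original post or of Wordfence's tooling), the following POSIX shell script reads the `Version:` header from a plugin's main file and reports whether the install is at or above the patched 3.0.4 release. The plugin directory path and file name are assumptions; point it at your own `wp-content/plugins/...` directory.

```shell
# Reads the "Version:" header WordPress requires in a plugin's main PHP file
# and compares it against the first patched FancyBox release (3.0.4).
# Usage (path is an assumption; adjust to your install):
#   fancybox_patched /var/www/html/wp-content/plugins/fancybox-for-wordpress

plugin_version() {
    # Print the Version: header from the first PHP file in the directory that has one.
    dir=$1
    for f in "$dir"/*.php; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$f" | head -n 1)
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    done
    return 1
}

version_ge() {
    # Return 0 if $1 >= $2, comparing dot-separated numeric components
    # (so 3.0.10 correctly ranks above 3.0.4, unlike a plain string compare).
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0
    }'
}

fancybox_patched() {
    # Exit 0 when the installed version is >= 3.0.4, 1 when it must be updated,
    # 2 when no Version: header could be found in the directory.
    v=$(plugin_version "$1") || return 2
    if version_ge "$v" "3.0.4"; then
        echo "fancybox $v: patched"
        return 0
    fi
    echo "fancybox $v: VULNERABLE, update now"
    return 1
}
```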


Comments

18 Comments
  • Just wondering if this impacts the EasyFancyBox plugin for WordPress? I don't use FancyBox but I do indeed use EasyFancyBox.....

    I have not seen an update for EasyFancyBox but am wondering if I could be vulnerable - how can I check/verify the exploit doesn't exist in this plugin?

    Any ideas/thoughts would be great!

• Hi Jonathan, see below. I did some analysis and it looks like the answer is no.

      • Thanks Mark - appreciate the effort to compare the code and get back!

  • What about Easy Fancy Box? https://wordpress.org/plugins/easy-fancybox/ is this at risk as well?

    • Hi Charlie. See below. The answer appears to be no.

  • Always appreciate these notifications. Thank you!

    Anybody know if this also applies to the Easy Fancybox plugin?

    https://wordpress.org/plugins/easy-fancybox/

    • Hi. I've looked at https://wordpress.org/plugins/easy-fancybox/ and the code is very different. The only files that are the same are image files. I've also searched for the code that Fancybox for WordPress fixed and did not find it in Easy Fancybox. So I don't think this vulnerability exists in Easy Fancybox.

  • Does this also apply to the Fancy Gallery plugin? Thanks.

    • No I don't think it does. The code for Fancy Gallery looks very different, it doesn't contain the vulnerable code from FancyBox for WP and there isn't a single source or other file that matches.

      • Thank you Mark for checking.

  • What about Nextgen Gallery? Particular folder "/plugins/nextgen-gallery/products/photocrati_nextgen/modules/lightbox/static/fancybox"

• I haven't checked, but just because it says 'fancybox' doesn't suggest a vulnerability. It looks like it was a vulnerability in this plugin's code only.

  • I asked on the Nextgen Gallery support and was told it isn't anyways, since it is part of a library. Still leaves me with trying to figure out what triggers 504 errors. Only happens when I block certain IP addresses in Wordfence (which isn't my own IP of course, as it wouldn't allow that anyways). Whole unrelated other issue.

    Link to response - https://wordpress.org/support/topic/fancybox-included-with-nextgen-affected-by-vulnerbilty?replies=2#post-6528877

  • Pardon my ignorance, but what's a zero day?

    • A zero-day vulnerability simply means that it is an active vulnerability that is affecting all users and was probably around for a while. Think of it as a new and active exploit that is still needing to be patched.

  • Unfortunately it looks like the patch for this vulnerability has caused additional issues within the plugin, namely, a broken portion of the options page - https://www.cryptobells.com/fancybox-for-wordpress-zero-day-and-broken-patch/

  • Hey guys, it seems that Wordfence is being triggered by the WPTavern post about 203koko being stored in Dashboard Blogroll caches, making people panic even though they never had fancybox-for-wordpress https://wordpress.org/support/topic/possible-malware-2/page/3?replies=87#post-6532356

    The exploit as seen in the wild did not store the URL in PHP, but rather in the database. Might help finetune the signature for it a bit. Hope this helps.

• Thanks Gennady, but this is actually a malicious URL, which is why it's being flagged, and if it's in the blogroll cache that means it's exposed on the dashboard? So I think it's not a false positive, and anyone who wants to ignore the warning from WF should just click the ignore option.